Security NewsWatch

NSI Security NewsWatch Banner

A weekly roundup of news, trends and insights designed exclusively for security professionals. This publication is intended for security staff only.

View in Your Browser at


In this issue — May 17, 2017

  • DHS issues homegrown terror bulletin
  • Malware Case Is Major Blow for the N.S.A.
  • Cyber Command: Russian Hacking Is ‘the New Normal’
  • Connection Between Global Ransomware Attack and North Korea?
  • Government Deadline Looms for Training on Insider Threats
  • CIA Opens a New Office to Watch North Korea
  • DHS Considers Banning Carry-On Laptops on Flights from Europe
  • Trump Issues Cybersecurity Executive Order
  • Security Clearance Bureau Making Progress, but No Timeline to End Backlog
  • President’s Tweets Are a Gold Mine for Foreign Intelligence


DHS issues homegrown terror bulletin (, 5/17/17)

The Department of Homeland Security renewed a bulletin late Monday that warned of the dangers posed by homegrown terrorists and called the threat environment in the country one of the “most serious” since the 9/11 attacks. “We face one of the most serious terror threat environments since the 9/11 attacks as foreign terrorist organizations continue to exploit the Internet to inspire, enable, or direct individuals already here in the homeland to commit terrorist acts,” the bulletin, issued through the National Terrorism Advisory System, said.

An NTAS bulletin was first issued in December 2015 to “highlight the continuing threat from homegrown terrorists” and has been renewed three times previously with updated language. Monday’s bulletin, which is set to expire in November, includes new warnings on the techniques used by terrorists, like car attacks, that did not appear in the previous iteration. More


Malware Case Is Major Blow for the N.S.A. (NYT, 5/16/17)

National Security Agency officials grew increasingly concerned after a mysterious group calling itself the Shadow Brokers announced in August 2016 that it was auctioning off highly classified NSA hacking tools. In April the Shadow Brokers dumped dozens of the agency’s software exploits on the web, free to criminals and foreign spies alike. Since Friday, the agency has watched as malicious software based on its creations spread across the world, shutting down hospitals, disrupting rail traffic, and causing chaos in approximately 150 countries.

Michael Hayden, the director of NSA from 1999 to 2005, said he had defended it for years in debates over civil liberties. “But I cannot defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands,” he said. Software experts said that the group’s dump of NSA tools in April included additional exploits that are “wormable” — meaning they could spread rapidly, like the ransomware attack — and that it might well have more NSA malware it has not yet released. The failure to keep its own hacking tools out of the hands of criminals and other adversaries casts the agency’s actions in a harsh new light, prompting critics to question anew whether the agency can be trusted to develop and protect such potent hacking tools. More


Cyber Command: Russian Hacking Is ‘the New Normal’ (Defense Systems, 5/15/17)   Admiral Michael S. Rogers, head of US Cyber Command, called Russia’s cyber operations “destabilizing.”  During recent exchanges on Capitol Hill, Rogers appeared to be in agreement with the US intelligence community that Russia’s election interference is likely to be a new normal.   Russian President Vladimir Putin “figured that he was no military match for the United States, but he could launch a Manhattan Project for cyberattacks,” Rep. Jamie Raskin, D-Md., declared last month at a hearing of the House Oversight and Government Reform information technology subcommittee.  It is still an open question how the United States will fight back, whether it’s Russia or another foreign hacking onslaught.  Officials and experts warn that it is time for fresh thinking on how to combat these threats, both in government agencies and in the cybersecurity industry. More


Connection Between Global Ransomware Attack and North Korea? (Dark Reading, 5/15/17)   Newly discovered clues in the still-spreading massive ransomware worm WannaCry reveal some common threads between code used in the attacks with that of a nation-state attack group thought to be out of North Korea, the so-called Lazarus Group.  The WannaCry ransomware worm wriggling its way worldwide through vulnerable Windows systems across various industry sectors, meanwhile, appears to have slowed dramatically in the wake of two kill-switch mechanisms employed by security researchers.   Security researchers say the possible link between WannaCry and the Lazarus Group is traced back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.  Lazarus Group has been credited with the massive 2014 breach of Sony Pictures.  Speculation of a possible North Korea connection went live this week after a Google researcher posted a tweet showing similar code elements of the two pieces of malware. More


Government Deadline Looms for Training on Insider Threats (, 5/15/17)

Almost one year ago, on May 18, 2016, the Department of Defense (DoD) published Change Two to DoD 5220.22-M, the Department of Defense’s “National Industrial Security Operating Manual (NISPOM).” This change required all contractors to establish and maintain an insider threat program to detect, deter and mitigate insider threats. In connection with the NISPOM change, the DoD published Industrial Security Letter 2016-02 (ISL 2016-02), to provide additional information and guidance as to how to comply with the new requirements. While the bulk of the requirements contained therein involved corporate-level programs and policies which were to have been established last year, it also established new training requirements that apply to all employees, including those already cleared and granted access to government information.What this means to you is that every employee in your organization must complete the required training prior to May 31, 2017, even if they already have clearance and have previously been granted access to government information. More



Help Your Employees Connect to the “Why” in Security

Protecting classified and sensitive information depends more than ever on the human element of security — employees. The sad fact is, employees are still the weakest link in the security chain because they’re not trained to be security-conscious. A report by Ernst & Young finds that “security awareness programs at many organizations are weak, half-hearted and ineffectual.” As a result, employees ignore them. Many employees are not invested in the process because they don’t understand what’s in it for them.

What you can do about it: A simple, proven approach.

Now you can gain visibility and buy-in for your security program with the EMPLOYEE SECURITY CONNECTION – the proven security awareness solution exclusively for cleared defense contractors and government agencies.  It’s the best way to ensure your employees are prepared for your next government security inspection.  To learn more about how this valuable resource can help motivate your employees to practice good security habits…help you achieve better inspection results…and satisfy a major NISPOM awareness requirement… please click on the following link:



CIA Opens a New Office to Watch North Korea (Defense One, 5/13/17)   Two years after the CIA reorganized itself to create 10 “mission centers,” the spy agency is adding a new one devoted specifically to North Korea.  Then-director John Brennan launched that 2015 restructuring — it also created the Directorate for Digital Innovation, the agency’s first new directorate in half a century — to modernize the agency and eliminate stovepipes between its analysts, agents, and hackers.   Instead of offices built around kinds of expertise, the new mission centers house cross-functional teams focusing on a threat or a region.  That allows them to “harness the full range of CIA’s operational, analytic, support, technical and digital capabilities,” the CIA said.  The new Korea Mission Center at CIA headquarters in Virginia is intended to do the same thing for a country that at least one intelligence expert calls “the hardest of hard targets.” More


DHS Considers Banning Carry-On Laptops on Flights from Europe (NPR, 5/12/17)   Almost two months after the Department of Homeland Security instituted a ban on large electronics on US-bound flights from several countries in the Middle East, the agency is considering expanding the prohibition to flights from Europe.  The current ban applies to 10 airports in eight countries: Egypt, Jordan, Kuwait, Morocco, Turkey, Saudi Arabia, Qatar and the United Arab Emirates, and applies to about 50 flights a day.    An expansion of the restrictions to flights from Europe could have a substantially greater impact on air travel.  The current rule still allows passengers to take phones inside the cabin, but forces them to check any larger electronic items, including laptops and tablets.  Airline executives met with officials from the Department of Homeland Security to discuss the issue last week, but the meeting ended with no announcement of a change in policy. More


Trump Issues Cybersecurity Executive Order (Dark Reading, 5/11/17)   President Donald Trump last week signed an executive order on cybersecurity that squarely places on the shoulders of agency heads the security of their networks, systems, and data, as well as requiring their adoption of the NIST’s cybersecurity risk framework of best security practices.  The EO, which has been in the works and revised a few times after fits and starts by the administration, for the most part echoes and builds on the policies of previous administrations, including FISMA and the Obama administration’s critical infrastructure EO.   The “Strengthening US Cyber Security and Critical Infrastructure” EO generally was well-received by cybersecurity experts in policy and technology, with a mix of views over whether it’s a game-changer and how it will roll out.  Among the key elements is a call for modernizing and consolidating government network technologies and infrastructures; a report on technology supply chain risks to DoD; an assessment of disruption of the nation’s power grid; and a call for skilled cybersecurity talent. More


Security Clearance Bureau Making Progress, but No Timeline to End Backlog (NextGov, 5/10/17)   The National Background Investigations Bureau has made significant progress hiring investigators and developing new tools but does not have a deadline yet for when it will clear out a substantial backlog in clearance seekers, an official said last week.  Those wait times typically extend more than 200 days for an initial top secret clearance.   The bureau hired about 400 investigators last year and expects to hire about 180 more this year, Jim Onusko, director of the bureau’s Federal Investigative Records Enterprise, told an advisory panel.  Then-President Barack Obama launched NBIB in January 2016 after the OPM breach compromised highly sensitive security clearance information about more than 20 million current and former federal employees and their families. More


President’s Tweets Are a Gold Mine for Foreign Intelligence (The Federalist, 5/9/17)   As I recently watched President Donald Trump fulminate against hearings in the Senate, it occurred to me that I was getting a real-time look at how the president of the United States reacts to stress.  More important, it also occurred to me that I was not the only one getting a raw feed of the president’s thoughts and emotions; any foreign intelligence analyst worth his or her salt was almost certainly taking copious notes.   As well they should.  Trump’s tweets, from an intelligence standpoint, are a gold mine.  Not because they contain classified information or reveal important aspects of US policy, but because they are a direct and continuous stream of information about the president himself.  Classified information is important, but an ongoing look inside the president’s head is, in many ways, more valuable than any transitory secrets. More


Keep Getting This Newsletter To ensure delivery to your inbox (not bulk or junk folders), please add to your address book. TO SUBSCRIBE: If you were sent this by a colleague and wish to subscribe to NSI’s complementary Security NewsWatch e-newsletter, visit TO UNSUBSCRIBE: This news service comes to you from the news team at the National Security Institute. If you do not wish to receive it in the future, please reply to this e-mail with the subject line “Un-subscribe.” Please feel free to share this e-mail with your colleagues and encourage them to sign up to get their own copy at

ADVERTISERS: For information about sponsoring this e-letter, contact or call 508-533-9099.

National Security Institute 165 Main Street, Suite 215 Medway, MA 02053 Tel: 508-533-9099 Fax: 508-507-3631 Internet: